copy access-list ethernet-service

To create a copy of an existing Ethernet services access list, use the copy access-list ethernet-services command in EXEC mode.

copy access-list ethernet-service source-acl destination-acl

Syntax Description

source-acl

Name of the access list to be copied.

destination-acl

Name of the destination access list where the contents of the source-acl argument are copied.

Command Default

None

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the copy access-list ethernet-service command to copy a configured Ethernet services access list. Use the source-acl argument to specify the access list to be copied and the destination-acl argument to specify where to copy the contents of the source access list. The destination-acl argument must be a unique name; if the destination-acl argument name already exists for an access list, the access list is not copied. The copy access-list ethernet-service command checks that the source access list exists, then checks the existing list names to prevent overwriting existing access lists.

Task ID

Task ID

Operations

acl

read, write

filesystem

execute

Examples

In the following example, a copy of access list list-1 is created as list-2:

Syntax Description

sequence-number

(Optional) Number of the deny statement in the access list. This number determines the order of the statements in the access list. The number can be from 1 to 2147483646. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.) Use the resequence access-list ethernet-service command to change the number of the first statement and increment subsequent statements of a configured access list.

Command Default

There is no default condition under which a packet is denied passing the Ethernet services access list.

Command Modes

Ethernet services access list configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the deny command following the ethernet-service access-list command to specify conditions under which a packet can pass the access list.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit or deny statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

If you want to add a statement between two consecutively numbered statements (for example, between lines 10 and 11), first use the resequence access-list ethernet-service command to renumber the first statement and increment the entry number of each subsequent statement.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to define an Ethernet services access list named L2ACL1:

ethernet-service access-group

To control access to an interface, use the ethernet-service access-group command in interface configuration mode. To remove the specified access group, use the no form of the command.

ethernet-service access-group access-list-name { ingress | egress }

no ethernet-service access-group access-list-name { ingress | egress }

Syntax Description

access-list-name

Name of an Ethernet services access list as specified by the ethernet-service access-list command.

ingress

Filters on inbound packets.

egress

Filters on outbound packets.

Command Default

The interface does not have an Ethernet services access list applied to it.

Command Modes

Interface configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the ethernet-service access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the acl-name argument to specify a particular Ethernet services access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets.

If the list permits the addresses, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns a host unreachable message.

If the specified access list does not exist, all packets are passed.

By default, the unique or per-interface ACL statistics are disabled.
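Because a missing access list means all packets are passed, an access-group that names an undefined list fails open. The following Python check is an added example, not part of the original command reference: it scans a saved configuration for such dangling references. The sample configuration, its entry line and the function name are constructed for illustration, and both spellings used on this page (ethernet-service and ethernet-services) are accepted.

```python
import re

# Constructed sample configuration (not from the original page).
# The ACL entry line is illustrative only.
SAMPLE_CONFIG = """\
ethernet-services access-list L2ACL1
 10 permit any any
!
interface GigabitEthernet0/2/0/0
 ethernet-service access-group L2ACL1 ingress
 ethernet-service access-group L2ACL2 egress
!
interface GigabitEthernet0/2/0/1
 ethernet-service access-group L2ACL1 ingress
!
"""

ACL_DEF = re.compile(r"^ethernet-services? access-list (\S+)\s*$")
ACL_REF = re.compile(r"^\s+ethernet-services? access-group (\S+) (ingress|egress)\s*$")
IFACE = re.compile(r"^interface (\S+)")


def find_dangling_access_groups(config):
    """Return (interface, acl_name, direction) for every access-group whose
    access list is not defined anywhere in the configuration text."""
    defined = set()
    references = []
    current_interface = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: either starts an interface block or ends one.
            iface = IFACE.match(line)
            current_interface = iface.group(1) if iface else None
            definition = ACL_DEF.match(line)
            if definition:
                defined.add(definition.group(1))
            continue
        ref = ACL_REF.match(line)
        if ref and current_interface:
            references.append((current_interface, ref.group(1), ref.group(2)))
    # Definitions may appear after the interfaces, so filter at the end.
    return [r for r in references if r[1] not in defined]


if __name__ == "__main__":
    for iface, acl, direction in find_dangling_access_groups(SAMPLE_CONFIG):
        print(f"{iface}: {direction} access-group {acl} is undefined (all packets pass)")
```
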

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to apply filters on packets inbound and outbound from GigabitEthernet interface 0/2/0/0:

ethernet-services access-list

To define an Ethernet services (Layer 2) access list by name, use the ethernet-services access-list command in global configuration mode. To remove all entries in an Ethernet services access list, use the no form of the command.

ethernet-services access-list access-list-name

no ethernet-services access-list access-list-name

Syntax Description

access-list-name

Name of the Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

Command Default

No Ethernet services access list is defined.

Command Modes

Global configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The ethernet-services access-list command places the router in access list configuration mode, in which the denied or permitted access conditions must be defined with the deny (ES ACL) or permit (ES ACL) command.

Syntax Description

sequence-number

(Optional) Number of the permit statement in the access list. This number determines the order of the statements in the access list. The number can be from 1 to 2147483646. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.) Use the resequence access-list ethernet-service command to change the number of the first statement and increment subsequent statements of a configured access list.

Command Default

There is no specific default condition under which a packet is permitted passing the Ethernet services ACL.

Command Modes

Ethernet services access list configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the permit command following the ethernet-service access-list command to specify conditions under which a packet can pass the access list.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit or deny statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

If you want to add a statement between two consecutively numbered statements (for example, between lines 10 and 11), first use the resequence access-list ethernet-service command to renumber the first statement and increment the entry number of each subsequent statement.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to set a permit condition for an access list named L2ACL1:

Syntax Description

Name of the Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

starting-sequence-number

(Optional) Number of the first statement in the specified access list, which determines its order in the access list. Maximum value is 2147483646. Default is 10.

increment

(Optional) Number by which the base sequence number is incremented for subsequent statements. Maximum value is 2147483646. Default is 10.

Command Default

starting-sequence-number: 10

increment: 10

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the resequence access-list ethernet-service command to add a permit or deny statement between consecutive entries in an existing Ethernet services access list. Specify the first entry number (the starting-sequence-number) and the increment by which to separate the entry numbers of the statements. The software renumbers the existing statements, thereby making room to add new statements with the unused entry numbers.
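The renumbering described here, and the insertion rule given in the deny and permit usage guidelines, can be modelled offline before a change is made on the router. The following Python model is an added example, not part of the original command reference: the function names and entry strings are constructed, and raising an error when renumbering would pass the maximum sequence number is an assumption of the model, not documented router behavior.

```python
MAX_SEQ = 2147483646  # largest sequence number stated on this page


def resequence(acl, start=10, increment=10):
    """Renumber statements in their current order; defaults match the page (10, 10)."""
    if not 1 <= start <= MAX_SEQ or not 1 <= increment <= MAX_SEQ:
        raise ValueError("start and increment must be in 1..%d" % MAX_SEQ)
    ordered = [acl[seq] for seq in sorted(acl)]
    # Model assumption: refuse a renumbering that would pass MAX_SEQ.
    if ordered and start + increment * (len(ordered) - 1) > MAX_SEQ:
        raise ValueError("renumbering would exceed the maximum sequence number")
    return {start + i * increment: stmt for i, stmt in enumerate(ordered)}


def insert_between(acl, lower, upper, statement):
    """Return a copy of acl with statement placed at an unused number
    between two adjacent existing entries."""
    if lower not in acl or upper not in acl or lower >= upper:
        raise ValueError("lower and upper must be existing entries, lower < upper")
    if any(lower < seq < upper for seq in acl):
        raise ValueError("entries %d and %d are not adjacent" % (lower, upper))
    if upper - lower < 2:
        raise ValueError("no unused number between %d and %d; resequence first"
                         % (lower, upper))
    new_acl = dict(acl)
    new_acl[(lower + upper) // 2] = statement
    return new_acl


def worked_example():
    # Constructed entries at consecutive numbers 10 and 11.
    acl = {10: "entry A (constructed)", 11: "entry B (constructed)"}
    try:
        insert_between(acl, 10, 11, "entry C (constructed)")
        blocked = False
    except ValueError:
        blocked = True  # nothing fits between 10 and 11
    # Renumber starting at 20 with an increment of 10, then insert.
    acl = resequence(acl, start=20, increment=10)
    acl = insert_between(acl, 20, 30, "entry C (constructed)")
    return blocked, acl


if __name__ == "__main__":
    blocked, acl = worked_example()
    print("insert between 10 and 11 blocked:", blocked)
    for seq in sorted(acl):
        print(seq, acl[seq])
```
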

Task ID

Task ID

Operations

acl

read, write

Examples

You need to add additional entries in the access list ahead of the first permit statement. First, you resequence the entries, renumbering the statements starting with number 20 and an increment of 10, and then you have room for additional statements between each of the existing statements:

Syntax Description

(Optional) Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

maximum

(Optional) Show the maximum number of configurable Ethernet services ACLs and ACEs.

standby

(Optional) Display all access lists in standby mode.

summary

(Optional) Display a summary of Ethernet services access lists.

hardware

(Optional) Display Ethernet services access list entries in hardware including the match count for a specific ACL in a particular direction across the line card.

usage

(Optional) Display the usage of this ACL in a given location.

ingress

(Optional) Filters on inbound packets.

egress

(Optional) Filters on outbound packets.

implicit

(Optional) Display the count of packets implicitly denied by a particular ACL.

detail

(Optional) Display TCAM entries.

sequence

(Optional) Display statistics for a specific sequence number.

sequence-number

Sequence number value. Range is 1 to 2147483647.

location

(Optional) Display information for a specific node number.

location

Fully qualified location specification

Command Default

The contents of all Ethernet services access lists are displayed.

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

acl

read

Examples

The following examples show how to display Ethernet services access list trace information:

show access-list ethernet-service usage pfilter

To identify the modes and interfaces on which a particular ACL is applied, use the show access-list ethernet-service usage pfilter command in EXEC mode. Information displayed includes the application of all or specific ACLs, the interfaces on which they have been applied and the direction in which they are applied.

Syntax Description

(Optional) Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

location

Interface card on which the access list information is needed.

location

Fully qualified location specification.

all

Displays packet filtering usage for all interface cards.

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to display packet filter usage at a specific location:

show lpts pifib hardware entry optimized

To display a set of optimized entries that are combined as a single entry, inside the Ternary Content Addressable Memory (TCAM), use the show lpts pifib hardware entry optimized command in EXEC mode.

show lpts pifib hardware entry optimized location

Syntax Description

location

Mandatory. The location of the line card where the interface is present.

Command Default

None

Command Modes

EXEC

Command History

Release

Modification

Release 4.1.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operation

lpts

read

Examples

The following example shows the output of the show lpts pifib hardware entry optimized command: